-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Lorenzo Thurman wrote:
> Can someone provide me with pointers on how I can be sure my Apache
> installation is as secure as possible? I've been running Linux for
> several years now and an Apache web server for the last few. I follow
> guidelines on how to set it up and secure it, but I'd really be
> interested in ways that I can audit my installation for potential
> failings. Is there some application I can run that will tell me how well
> it's set up?
> Thanks
>
> "There are 10 types of people in this world: those who understand
> binary, those who don't"
>
> --Unknown
Something I always do on my servers is put GCC and compiler tools such as /usr/bin/(gcc|g++) etc. in a "programming" group, then set the executables to chmod 750. This way, unless I add a user to the programming group, they can't compile things. This stops a LOT of worms/Apache hacks, as they upload code and then compile it.

I also set my tmp dir to noexec so anything that gets dumped in there can't be run. Depending on how you run your site, that could be done on your htdocs dir too. To set noexec, add it to your fstab. For example:

/dev/ida/disc0/part3 /tmp reiserfs noatime,noexec 0 0

Remove any unused modules, especially proxy. If you're not using SSL, disable that too, as it could be exploited if an OpenSSL hole is found.

Maybe change "ServerSignature" to Email in commonapache2.conf. This will hide the version of Apache and OS. Just another thing to slow someone down.

And as suggested, run Nessus against it.

Hope this helps,

- --
Greg Watson
Security and Technology Manager
Department of Military & Veterans Affairs
GPG: 0C5B3510
Keyservers: ldap://certserver.pgp.com, pgp.dtype.org
Fingerprint: 6DC2 9DE6 98E6 A401 33EC 3F70 C95C 794A 0C5B 3510
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD4DBQFCpxbryVx5SgxbNRARAkWFAJjqgGnE7SeI7d+NOFVWqPu9xNhGAKCm5FzE
LZ486typ45X/eQoQJzDPOg==
=V3bo
-----END PGP SIGNATURE-----
--
[email protected] mailing list
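The four items in Greg's reply (compiler lockdown, noexec /tmp, unneeded proxy/ssl modules, banner directives) turned into a small POSIX shell audit script. This is an added example, not code from the post, the list, or the Apache project. It assumes a Linux host with GNU coreutils (stat -c) and awk, the group name "programming" from the post, compiler binaries under /usr/bin, and the Debian/Red Hat config paths; all of those are assumptions to adjust. It also checks ServerTokens next to ServerSignature, because ServerTokens is the directive that decides how much the Server: response header reveals, while ServerSignature only affects the footer of Apache-generated pages.

```shell
#!/bin/sh
# Added audit script (not from the original post). Checks the four items in
# the reply. Assumes Linux with GNU coreutils (stat -c) and a POSIX awk.

# 1. Compiler lockdown. Each binary must be non-executable by "other" and
#    owned by GROUP (the post uses a group called "programming").
#    Prints one line per offender; returns 1 if any were found.
check_compilers() {
    group=$1; shift
    bad=0
    for f in "$@"; do
        [ -e "$f" ] || continue            # not installed: nothing to lock down
        mode=$(stat -c '%a' "$f")          # e.g. 755 or 4755
        grp=$(stat -c '%G' "$f")
        other=$(( mode % 10 ))             # last octal digit = "other" bits
        if [ $(( other & 1 )) -ne 0 ] || [ "$grp" != "$group" ]; then
            echo "compiler not locked down: $f (mode $mode, group $grp; want 750 $group)"
            bad=1
        fi
    done
    return $bad
}

# 2. Mount option check. Reads /etc/fstab or /proc/mounts lines on stdin
#    (fields: device mountpoint fstype options ...) and returns 0 only if
#    MOUNTPOINT ($1) carries OPTION ($2, e.g. noexec) in its option list.
mount_has_option() {
    awk -v mp="$1" -v opt="$2" '
        $1 !~ /^#/ && $2 == mp {
            seen = 1
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == opt) found = 1
        }
        END { exit ((seen && found) ? 0 : 1) }'
}

# 3. Modules the post singles out. Reads an httpd config on stdin, prints
#    every uncommented LoadModule for proxy* or ssl, returns 1 if any.
flag_risky_modules() {
    awk '
        /^[[:space:]]*#/ { next }
        tolower($1) == "loadmodule" && $2 ~ /^(proxy|ssl)_/ {
            print "review whether this module is needed: " $2 " (" $3 ")"
            n++
        }
        END { exit (n ? 1 : 0) }'
}

# 4. Banner directives. ServerTokens (default Full) controls the Server:
#    header; ServerSignature (default Off) controls the page footer.
#    Last uncommented occurrence wins, as in httpd itself.
apache_banner_check() {
    awk '
        /^[[:space:]]*#/ { next }
        tolower($1) == "servertokens"    { tokens = tolower($2) }
        tolower($1) == "serversignature" { sig = tolower($2) }
        END {
            ok = 1
            if (tokens != "prod") {
                print "ServerTokens should be Prod (got: " (tokens == "" ? "unset, defaults to Full" : tokens) ")"
                ok = 0
            }
            if (sig == "on") {
                print "ServerSignature should be Off or EMail (got: On)"
                ok = 0
            }
            exit (ok ? 0 : 1)
        }'
}

# Live audit when run as "sh apache-audit.sh audit"; without the argument the
# file only defines the functions so it can be sourced. The paths are the
# usual Debian/Red Hat locations and are assumptions.
if [ "${1:-}" = "audit" ]; then
    rc=0
    check_compilers programming /usr/bin/gcc /usr/bin/g++ /usr/bin/cc /usr/bin/as /usr/bin/ld || rc=1
    if [ -r /proc/mounts ]; then
        mount_has_option /tmp noexec < /proc/mounts || { echo "/tmp is mounted without noexec"; rc=1; }
    fi
    for conf in /etc/apache2/apache2.conf /etc/httpd/conf/httpd.conf; do
        [ -r "$conf" ] || continue
        flag_risky_modules < "$conf" || rc=1
        apache_banner_check < "$conf" || rc=1
    done
    [ $rc -eq 0 ] && echo "no findings"
    exit $rc
fi
```

Each function takes its input from arguments or stdin, so the same checks can be pointed at a copied fstab or httpd.conf from another box. Two caveats the post leaves out: noexec on /tmp blocks execve of files there but not `sh /tmp/x.sh` or `perl /tmp/x.pl`, and locking down gcc does nothing against an attacker who uploads a precompiled binary, so both are speed bumps rather than controls. Running Nessus (or any current scanner) against the host, as Greg says, still belongs at the end of the list.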
